CVE-2026-41917: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Openkm OpenKM Community Edition
OpenKM 6.3.12 contains a local file inclusion vulnerability in the administrative scripting interface at /admin/Scripting that allows authenticated administrators to read arbitrary files by supplying an attacker-controlled filesystem path through the fsPath parameter with action=Load. Attackers can exploit this to access sensitive files including /etc/passwd, configuration files containing database credentials, and JVM keystores accessible to the OpenKM process.
AI Analysis
Technical Summary
CVE-2026-41917 is a local file inclusion vulnerability in OpenKM Community Edition 6.3.12 affecting the administrative scripting interface endpoint (/admin/Scripting). The vulnerability allows authenticated administrators to supply an attacker-controlled filesystem path via the fsPath parameter with action=Load, bypassing pathname restrictions and enabling arbitrary file reads. This can expose sensitive files including system password files, database credential configurations, and JVM keystores accessible by the OpenKM process. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required beyond administrator, no user interaction, and high impact on confidentiality.
Potential Impact
Successful exploitation allows an authenticated administrator to read arbitrary files on the server hosting OpenKM, potentially exposing sensitive system and application data such as user account information, database credentials, and cryptographic keystores. This could lead to further compromise of the system or data confidentiality breaches. The vulnerability does not require user interaction and has a medium severity rating with a CVSS score of 6.9. No known exploits have been reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict administrative interface access to trusted personnel only and monitor for suspicious activity. Avoid exposing the administrative scripting interface to untrusted networks. Follow vendor communications for updates on patches or official mitigations.
CVE-2026-41917: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Openkm OpenKM Community Edition
Description
OpenKM 6.3.12 contains a local file inclusion vulnerability in the administrative scripting interface at /admin/Scripting that allows authenticated administrators to read arbitrary files by supplying an attacker-controlled filesystem path through the fsPath parameter with action=Load. Attackers can exploit this to access sensitive files including /etc/passwd, configuration files containing database credentials, and JVM keystores accessible to the OpenKM process.
CVSS v4.0
Score 6.9medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-41917 is a local file inclusion vulnerability in OpenKM Community Edition 6.3.12 affecting the administrative scripting interface endpoint (/admin/Scripting). The vulnerability allows authenticated administrators to supply an attacker-controlled filesystem path via the fsPath parameter with action=Load, bypassing pathname restrictions and enabling arbitrary file reads. This can expose sensitive files including system password files, database credential configurations, and JVM keystores accessible by the OpenKM process. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required beyond administrator, no user interaction, and high impact on confidentiality.
Potential Impact
Successful exploitation allows an authenticated administrator to read arbitrary files on the server hosting OpenKM, potentially exposing sensitive system and application data such as user account information, database credentials, and cryptographic keystores. This could lead to further compromise of the system or data confidentiality breaches. The vulnerability does not require user interaction and has a medium severity rating with a CVSS score of 6.9. No known exploits have been reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict administrative interface access to trusted personnel only and monitor for suspicious activity. Avoid exposing the administrative scripting interface to untrusted networks. Follow vendor communications for updates on patches or official mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-04-22T15:20:49.860Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a15af1f891d628fdc46f9ee
Added to database: 5/26/2026, 2:33:03 PM
Last enriched: 5/26/2026, 2:48:48 PM
Last updated: 5/26/2026, 9:23:50 PM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.